O'reilly Security Podcast - O'reilly Media Podcast

Information:

Synopsis

Security insight and analysis.

Episodes

  • Jessy Irwin on making security understandable for everyone

    01/03/2017 Duration: 36min

    The O’Reilly Security Podcast: Speaking other people’s language, security for small businesses, and how shame is a terrible motivator.

    In this episode, I talk with Jessy Irwin, VP of security and privacy at Mercury Public Affairs. We discuss how to communicate security to non-technical people, what security might look like for small businesses, and moving beyond shame. We also meet her neighborhood gang of grannies who’ve learned how to hack back.

    Here are some highlights:

    Speaking other people’s language

    One of the first things I do when talking to non-technical people is to stop using jargon. The average person doesn't know what encryption is, and if they've heard of the word before, it probably is perceived as something for terrorists, not for them. Password manager is not an intuitive phrase to most people, so I could say, "Well, you need a password app," and suddenly the whole world becomes a different place for someone who didn't realize that such a thing exists. It’s important that we c

  • Doug Barth and Evan Gilman on Zero Trust networks

    15/02/2017 Duration: 35min

    The O’Reilly Security Podcast: The problem with perimeter security, rethinking trust in a networked world, and automation as an enabler.

    In this episode, I talk with Doug Barth, site reliability engineer at Stripe, and Evan Gilman, Doug’s former colleague from PagerDuty who is now working independently on Zero Trust networking. They are also co-authoring a book for O’Reilly on Zero Trust networks. They discuss the problems with traditional perimeter security models, rethinking trust in a networked world, and automation as an enabler.

    Here are some highlights:

    The problem with perimeters

    Evan: The biggest issue with a perimeter model is that it tends to encourage system administrators to define as few perimeters as possible. You have your firewall, so anything out on the internet is bad, anyone on the inside is trusted, and maybe down the line you'll further segment this and add more firewalls. Maybe if you're really rigorous, you might do per-host firewalls, but in reality, most people say, ‘I

  • Susan Sons on maintaining and securing the internet’s infrastructure

    01/02/2017 Duration: 17min

    The O’Reilly Security Podcast: Saving the Network Time Protocol, recruiting and building future open source maintainers, and how speed and security aren’t at odds with each other.

    In this episode, O’Reilly’s Mac Slocum talks with Susan Sons, senior systems analyst for the Center for Applied Cybersecurity Research (CACR) at Indiana University. They discuss how she initially got involved with fixing the open source Network Time Protocol (NTP) project, recruiting and training new people to help maintain open source projects like NTP, and how security needn’t be an impediment to organizations moving quickly.

    Here are some highlights:

    “Help. I need a sysadmin.”

    It all started in February of 2015 when the NTP implementation maintainer, Harlan Stenn, came to me. Among NTP's many problems, there was a build box, and the entire build server—the entire build system—depended on this one server in Harlan's home continuing to function. Harlan no longer had the root password for the system, couldn't update

  • Steven Shorrock on the myth of human error

    18/01/2017 Duration: 33min

    The O’Reilly Security Podcast: Human error is not a root cause, studying success along with failure, and how humans make systems more resilient.

    In this episode, I talk with Steven Shorrock, a human factors and safety science specialist. We discuss the dangers of blaming human error, studying success along with failure, and how humans are critical to making our systems resilient.

    Here are some highlights:

    Humans are part of complex sociotechnical systems

    For several decades now, human error has been blamed as the primary cause of somewhere between 70% to 90% of aircraft accidents. But those statistics don’t really explain anything at all, and they don’t even make sense because all systems are composed of a number of different components. Some of those components are human—people in various positions and roles. Other components are technical—airplanes and computer systems, and so on. Some are procedural, or are soft aspects like the organizational structure. We can never, in a complex sociotech

  • Fang Yu on machine learning and the evolving nature of fraud

    04/01/2017 Duration: 27min

    The O’Reilly Security Podcast: Sniffing out fraudulent sleeper cells, incubation in money transfer fraud, and adopting a more proactive stance.

    In this episode, O’Reilly’s Jenn Webb talks with Fang Yu, cofounder and CTO of DataVisor. They discuss sniffing out fraudulent sleeper cells, incubation in money transfer fraud, and adopting a more proactive stance against fraud.

    Here are some highlights:

    Catching fraudsters while they sleep

    Today's attackers are not using single accounts to conduct fraud; if they have a single account, the fraud they can conduct is very limited. What they usually do is construct an army of fraud accounts and then orchestrate either mass registration or account takeovers. Each of the individual accounts will then conduct small-scale fraud. They can do spamming, phishing, and all different types of malicious activity. But because they use many coordinated individual accounts, the attacks are massive in scale. To detect these, we take what is called an unsupervised machi

  • Cory Doctorow on the real-life dangers of DRM

    21/12/2016 Duration: 47min

    The O’Reilly Security Podcast: DRM in unexpected places, artistic and research hindrances, and ill-anticipated consequences.

    In this best of 2016 episode, I revisit a conversation from earlier this year with Cory Doctorow, a journalist, activist, and science fiction writer. We discuss the unexpected places where digital rights management (DRM) pops up, how it hinders artistic expression and legitimate security research, and the ill-anticipated (and often dangerous) consequences of copyright exemptions.

    Early in 2016, Cory and the Electronic Frontier Foundation (EFF) launched a lawsuit against the U.S. government. They are representing two plaintiffs—Matthew Green and Bunnie Huang—in a case that challenges the constitutionality of Section 1201 of the Digital Millennium Copyright Act (DMCA). The DMCA is a notoriously complicated copyright law that was passed in 1998. Section 1201 is the part that relates to bypassing DRM. The law says that it's against the rules to bypass DRM, even for lawful purposes, and it imp

  • Ame Elliot on designing for usable security and privacy

    07/12/2016 Duration: 19min

    The O’Reilly Security Podcast: Designing for security and privacy, noteworthy tools, and the real-world consequences of design.

    In this episode, O’Reilly’s Mary Treseler talks with Ame Elliot, design director at Simply Secure. They discuss designing for security and privacy, noteworthy tools, and the real-world consequences of design.

    Here are some highlights:

    Designing for usable security and privacy

    Privacy and security are tightly interrelated. Privacy, or confidentiality, is one technical goal of security. Other technical goals of security include integrity and non-repudiability. As a UX designer, I’m coming at this from a human-centered design perspective. I care about what end users experience, and privacy feels like the quality that people are looking for in an interaction. I would like to see designers working together with some of the fantastically talented cryptographers to make security usable and delightful so that end users can experience privacy. In order to do that, there's a rea

  • Richard Moulds on harnessing entropy for a more secure world

    23/11/2016 Duration: 29min

    The O’Reilly Security Podcast: Randomness, our dependence on entropy for security and privacy, and rating entropy sources for more effective encryption.

    In this episode, I talk with Richard Moulds, vice president of strategy and business development at Whitewood Encryption. We discuss whether random number generation is as random as some might think and the implications that has on securing systems with encryption, how to harness entropy for better randomness, and emerging standards for evaluating and certifying the quality of entropy sources.

    Here are some highlights:

    Randomness: The linchpin of encryption

    When people think about cryptography, which is a broad subject, they tend to think about encryption. They think about the algorithms we use to encrypt our data, the keys we use, and how to keep these keys secret. A key is just a random number. Generally speaking, crypto in encryption applications gets these random numbers from the operating system. There are standard calls that you can make
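
The point Moulds makes above, that a key is just a random number and that applications should fetch it from the operating system's standard calls, is easy to get wrong in practice. The following is an added example (not from the podcast, and not Whitewood Encryption's code) contrasting a key built from a seeded general-purpose PRNG with one drawn from the OS CSPRNG, plus a per-byte entropy estimate that illustrates the episode's caveat: statistical uniformity of a sample says nothing about whether the generator was predictable. The function names and the 32-byte key size are choices made for the example.

```python
"""Added example, not from the podcast or from Whitewood Encryption.

Shows where key material should and should not come from.  random.Random
is a deterministic PRNG: its entire output is a function of the seed.
secrets / os.urandom read the operating system's CSPRNG, which is the
"standard call" an application is expected to use for keys."""
import math
import os
import random
import secrets

KEY_BYTES = 32  # a 256-bit symmetric key (size chosen for the example)


def weak_key(seed: int) -> bytes:
    """Key built from the general-purpose PRNG.  Anyone who knows or can
    guess the seed regenerates the identical key.  Shown only as the
    anti-pattern."""
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def strong_key() -> bytes:
    """Key drawn from the OS entropy source via the secrets module."""
    return secrets.token_bytes(KEY_BYTES)


def strong_key_os() -> bytes:
    """The same thing one layer down: os.urandom is what secrets wraps."""
    return os.urandom(KEY_BYTES)


def is_reproducible(make_key, *args) -> bool:
    """True when two calls with identical inputs yield the same key, i.e.
    the 'randomness' was entirely determined by its inputs."""
    return make_key(*args) == make_key(*args)


def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical entropy per byte (0.0 to 8.0).  A sanity check on a
    sample only.  The caveat the episode raises applies: a seeded PRNG's
    output scores just as well as true random data, so uniformity is not
    unpredictability."""
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


if __name__ == "__main__":
    print("seeded PRNG reproducible:", is_reproducible(weak_key, 1234))
    print("OS CSPRNG reproducible:  ", is_reproducible(strong_key))
    print("entropy of weak key:     ", round(shannon_bits_per_byte(weak_key(1234)), 2))
    print("entropy of strong key:   ", round(shannon_bits_per_byte(strong_key()), 2))
```

Run it and both keys look equally "random" to the entropy estimate; only the reproducibility check tells them apart. That is why the episode's later theme, rating the entropy source itself rather than testing its output, matters.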

  • Gilad Rosner on privacy in the age of the Internet of Things

    23/11/2016 Duration: 35min

    The O’Reilly Hardware Podcast: Safeguarding against new privacy risks.

    In this episode of the O’Reilly Hardware Podcast, Jeff Bleiel and I speak with Gilad Rosner, a privacy and information policy researcher, and the founder of the Internet of Things Privacy Forum. Rosner is also the author of the recently published free O’Reilly ebook, “Privacy and the Internet of Things.”

    Discussion points:

      • Current concerns about how widely information collected by IoT devices will be shared
      • Current and future regulations affecting both governmental and private actors
      • Similarities and differences between privacy attitudes and laws in the U.S. and Europe
      • Why privacy is essential for the existence of democratic societies
      • What to expect in the near future in data protection regulation in both the U.S. and Europe

    Links

      • The non-profit Online Trust Alliance
      • Privacy and surveillance researcher and writer Karen Levy,

  • Efrain Ortiz on digital disease control

    09/11/2016 Duration: 34min

    The O’Reilly Security Podcast: Thinking like an epidemiologist, using data and patterns, and escaping reactive tendencies.

    In this episode, I talk with security architect Efrain Ortiz. We discuss how epidemiology can be applied to infosec, the parallels between using data and patterns to diagnose disease and find endpoint problems, and how to think like an epidemiologist in order to get out of reactive approaches to security at your own organization.

    Here are some highlights:

    Epidemiological thinking

    I started reading books about epidemiology, including one about Dr. John Snow (no relationship to Game of Thrones), who lived in London in the mid-1800s. Back then, everybody thought you got sick from bad smells (miasma theory). In 1854, there was a cholera outbreak in London, and Dr. Snow did something very different, something that hadn't been done before. He walked around and mapped out when and where somebody died. When he laid out the map, a pattern emerged: there was a water pump in the midd

  • Brendan O’Connor on security as a monoculture

    26/10/2016 Duration: 40min

    The O’Reilly Security Podcast: Building cathedrals, empowering the watchers, and breaking out of the security monoculture.

    In this episode, I talk with Brendan O’Connor, a security researcher, lawyer (but not your lawyer) and owner of security consulting firm Malice Afterthought. We discuss creating a culture that celebrates collaborative teamwork over harried heroes, how monitoring and checklists really can save lives, and breaking out of the security monoculture.

    Here are some highlights:

    From statues to cathedrals

    There's some point in a company where you have to move from the age of heroes, where you build statues of people and put them on plinths, to the age of cathedrals. Cathedrals are compliance-driven operations—they're enormous buildings that have tons of people with very different specialties creating them. You have your bricklayer, you have your ditch digger, you have your sidewalk builder, you have your marble person, you have the person who paints the ceiling. There are all these

  • Dan Kaminsky on creating an NIH for the security industry

    12/10/2016 Duration: 28min

    The O’Reilly Security Podcast: Coarse-grained security, embracing the ephemeral, and empathy for everyone.

    In this episode, I talk with Dan Kaminsky, founder and chief scientist at White Ops. We discuss what a National Institutes of Health (NIH) for security would look like, the pros and cons of Docker and ephemeral solutions, and how the mere act of listening to people better can improve security for everyone.

    Here are some highlights:

    Creating an NIH for security research

    The hard truth is that there just are societal scale problems: cities burn, people need to transit from one location to another, we need food that doesn't poison us. The reality is that there are problems that affect all of us if they're present. The Internet is not a safe place right now, and, more importantly, the tools we’re using to interact with it are relatively broken. This is a problem, but we shouldn't be ashamed. I think we need to have a larger-scale response to the problems of the Internet. I

  • Josh Corman on the challenges of securing safety-critical health care systems

    28/09/2016 Duration: 49min

    The O’Reilly Security Podcast: Where bits and bytes meet flesh, misaligned incentives, and hacking the security industry itself.

    In this episode, I talk with Josh Corman, co-founder of I Am the Cavalry and director of the Cyber Statecraft Initiative for the non-profit organization Atlantic Council. We discuss his recent work advising the White House and Congress on the many issues lurking in safety-critical systems in the health care industry, the misaligned incentives across health care, regulatory bodies and the software industry, and the recent incident between MedSec and St. Jude regarding their medical devices.

    Here are some highlights:

    Where bits and bytes meet flesh

    I asked Josh to comment on his advisory role with the White House for the Presidential Commission on Enhancing Cybersecurity:

    Previous testimony from JPMorgan Chase said that they had over 2,000 full-time security people and they spend over $600 million a year securing things and they still get

  • Kyle Rankin on modern server hardening for the cloud

    14/09/2016 Duration: 33min

    The O’Reilly Security Podcast: Modern server hardening, institutional inertia, and new approaches to desktop security.

    In this episode, I talk with Kyle Rankin, vice president of engineering operations at Final, a credit card startup. We discuss old versus new approaches to server hardening in light of the cloud, how institutional inertia thwarts change, and the new security-minded desktop OS Qubes.

    Here are some highlights:

    Organizational inertia and security

    To me, a pretty big problem is that there are a lot of outdated approaches that just haven't been brought up to date. I think the biggest barrier to change is inertia. If you go to a lot of orgs that have had systems around for a while, getting everyone to generate an SSH key and use it is one big thing. Another thing is, a lot of orgs have all these other security practices, like sharing group accounts, for instance; all of the developers may have one role account called ‘developer’ on all machines, and they just share the pas

  • Meredith Patterson on using language to build trustworthy systems

    31/08/2016 Duration: 33min

    The O’Reilly Security Podcast: The origins of LangSec, rigidity vs. robustness, and using game theory to make security better for everyone.

    In this episode, I talk with Meredith Patterson, a software engineer and leader of the Langsec Conspiracy. We discuss the origins of LangSec, rigidity versus robustness, and game theory as it applies to organizational approaches to security.

    Here are some highlights:

    The origins of LangSec

    One evening I was having dinner with another fellow grad student who was doing security, and we were talking about SQL injections. He explained to me how it was possible with some web applications or HTML forms to add additional phrases of SQL in such a way that you could trick a database into executing arbitrary queries for you. He was explaining to me that people try to white list or black list against certain regular expressions to try to prevent this from happening, but it doesn't work terribly well. I said, 'That's silly, because SQL is a context free lang
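
Patterson's dinner-table observation above, that regular-expression blacklists do not work against a context-free language like SQL, is worth seeing concretely. The following is an added example (not from the podcast and not the LangSec project's code): a token blacklist of the kind she describes, a query that splices user input into the statement text, a payload that walks past the blacklist because SQL has more than one way to write a tautology, and the parameterized form in which the statement's grammar is fixed before any data arrives. The database, table and rows are constructed for the example.

```python
"""Added example, not from the podcast or from the LangSec project.

Shows why a blacklist of SQL tokens fails against injection and why
binding parameters does not.  Uses an in-memory SQLite database with
constructed rows."""
import re
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


# The kind of blacklist the passage describes: it stops the textbook
# payloads (OR 1=1, UNION SELECT, comment terminators) and nothing else.
BLACKLIST = re.compile(r"(--|;|/\*|\bor\b|\bunion\b|\bselect\b|\bdrop\b)",
                       re.IGNORECASE)


def blacklist_allows(value: str) -> bool:
    return BLACKLIST.search(value) is None


def lookup_concat(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Vulnerable: user input is spliced into the statement text, so the
    database parses it as SQL.  The blacklist is the only defence."""
    if not blacklist_allows(name):
        raise ValueError("blocked by blacklist")
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Fixed: the value is bound as a parameter.  The statement's parse
    tree is settled before the data is seen, so data cannot become code,
    whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# A payload the blacklist does not recognise.  After concatenation the
# predicate reads   name = 'x' != 'y'   which SQLite parses left to right
# as (name = 'x') != 'y'.  The inner comparison is 0 for every row, and an
# integer is never equal to a text value, so the predicate is true for
# every row.  No OR, no comment, no UNION required.
BYPASS = "x' != 'y"
TEXTBOOK = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("textbook payload allowed:", blacklist_allows(TEXTBOOK))
    print("bypass via concatenation:", lookup_concat(db, BYPASS))
    print("same payload, bound:     ", lookup_param(db, BYPASS))
```

The blacklist blocks the payload everyone knows and lets the second one dump the whole table; the parameterized query returns nothing for either, because it is looking for a user literally named `x' != 'y`. That is the LangSec position in one line: recognise the input with the grammar the consumer actually uses, or keep data and code apart structurally, rather than pattern-matching for things that look bad.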

  • Cory Doctorow on legally disabling DRM (for good)

    17/08/2016 Duration: 47min

    The O’Reilly Security Podcast: The chilling effects of DRM, nascent pro-security industries, and the narrative power of machines.

    In this episode, I talk with Cory Doctorow, a journalist, activist, and science fiction writer. We discuss the EFF lawsuit against the U.S. government, the prospect for a whole new industry of pro-security businesses, and the new W3C DRM specification.

    Here are some highlights from our discussion around DRM:

    How to sue the government: Taking on the DMCA

    We [Electronic Frontier Foundation] are representing [Bunnie Huang and Matthew Green] in a case that challenges the constitutionality of Section 1201 of the DMCA. The DMCA is this notoriously complicated copyright law, the Digital Millennium Copyright Act, that was brought in in 1998. Section 1201 is the part that relates to bypassing digital rights management (DRM), or digital restrictions management as some people call it. The law says that it's against the rules to bypass this, even for lawful p

  • Chris Eng on the challenges of improved application security

    03/08/2016 Duration: 29min

    The O’Reilly Security Podcast: Vulnerabilities in assembled software and the need for immediate developer feedback.

    In this episode, I talk with Chris Eng, vice president of research at Veracode, a software security-as-a-service business. We discuss Veracode’s research on application security across a broad spectrum of industries, the challenges of securing modern “assembled” software, and making it easier for developers to bake in security from the get-go.

    Here are some highlights:

    Software security: Some assembly required

    No one is writing software from scratch these days. Now, building software is more like assembling software from ingredients. You pull together a library for this, a library for that, and then, by the way, your shiny new piece of software inherits all the security holes in those libraries. As the product matures over time, people start to lose track of what went into it, nobody keeps an inventory of those libraries, and people don't upgrade libraries if t
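
The inventory Eng says nobody keeps is cheap to start. The following is an added example (not from the podcast and not Veracode's tooling) that parses a requirements-style manifest into a component list, records which entries are pinned to an exact version, and checks each against a minimum-version floor. The manifest, the package names and the floor table are all constructed for the example; in practice the floor table would be fed from an advisory source or the team's own baseline, and the manifest would be the real lockfile.

```python
"""Added example, not from the podcast or from Veracode.

Builds a component inventory from a pip-style requirements manifest and
flags the two failure modes the passage names: libraries nobody pinned,
and pinned libraries that have fallen behind an agreed minimum version.
All names, versions and the policy table are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed manifest in pip requirements syntax (package names are made up).
MANIFEST = """\
# web stack
exampleweb==1.4.2
exampletemplates>=0.9
examplecrypto==2.0.1
examplejson            # no version at all: resolves to whatever is current at build time
"""

# Constructed policy: the lowest version of each component the team accepts.
MIN_VERSION: Dict[str, Version] = {
    "examplecrypto": (2, 1, 0),
    "exampleweb": (1, 4, 0),
}

LINE_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|~=|<=|!=)?\s*([\d.]+)?")


@dataclass
class Component:
    name: str
    spec: Optional[str]
    version: Optional[Version]

    @property
    def pinned(self) -> bool:
        """Only an exact '==' pin makes a build reproducible and auditable."""
        return self.spec == "==" and self.version is not None


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


def parse_manifest(text: str) -> List[Component]:
    comps: List[Component] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, spec, ver = m.groups()
        comps.append(Component(name.lower(), spec, parse_version(ver) if ver else None))
    return comps


def audit(comps: List[Component]) -> Dict[str, List[str]]:
    """Report unpinned components and pinned ones below the policy floor."""
    findings: Dict[str, List[str]] = {"unpinned": [], "below_policy": []}
    for c in comps:
        if not c.pinned:
            findings["unpinned"].append(c.name)
        floor = MIN_VERSION.get(c.name)
        if floor and c.version and c.version < floor:
            findings["below_policy"].append(f"{c.name} {fmt(c.version)} < {fmt(floor)}")
    return findings


if __name__ == "__main__":
    inventory = parse_manifest(MANIFEST)
    for c in inventory:
        shown = fmt(c.version) if c.version else "(any)"
        print(f"{c.name:18} {c.spec or '':3} {shown:8} pinned={c.pinned}")
    print(audit(inventory))
```

Two of the four constructed entries come back unpinned and one pinned entry sits below its floor, which is the situation the passage describes: the product "inherits" whatever those libraries carry, and without the list nobody notices when an upgrade is due.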

  • Guy Podjarny on making open source more secure

    20/07/2016 Duration: 30min

    The O’Reilly Security Podcast: DevOps, risk reduction, and vulnerabilities in open source.

    In this episode, I talk with Guy Podjarny, founder of Snyk, a developer tooling company focused on securing open source alongside building a business. We discuss the parallel paths between the transformation from Ops teams to DevOps and where security teams are right now, building security tools focused on the people who will be using them, and who owns the problem of vulnerabilities in open source.

    Here are some highlights:

    Parallel paths of DevOps and security

    People think of DevOps positively, now. They think of all the awesome things that an ops team, a DevOps team, can do for them, and it would be amazing to try to convert that sentiment and that knowledge and that community into the world of security. We still need to find the analogies for that in security.

    Building positive security tools

    It's constantly hard, reducing risk without being a fear monge

  • Eleanor Saitta on security as a product of shared human outcomes

    06/07/2016 Duration: 26min

    The O’Reilly Security Podcast: Systems, design, and emergent social structures.

    In this episode, I talk with Eleanor Saitta, a security architect at Etsy. We talk about how security isn’t really about what happens to computers—it’s about what happens to the people using those systems; the relationship between design and security; and shifting the industry’s focus to think about security as a product of shared human outcomes.

    Here are some highlights:

    Security is about what happens to people, not machines

    No one cares about what code is running on this machine or who authorized it or anything like that, except to the extent that it affects some human being. Now, because in many cases we don't have other options that don't involve interacting with some human being, we effectively do really care about what code runs on the machines. Of course, I don't want to pretend that the low level doesn't matter. Starting from that high level is beneficial in its ability to teach us what we actuall

  • Jay Jacobs on the importance of statistical literacy in security

    22/06/2016 Duration: 28min

    The O’Reilly Security Podcast: Statistical literacy, machine learning, and data visualization.

    In this episode of the Security Podcast, I talk with Jay Jacobs, senior data scientist at BitSight. We discuss the disparity between intuition and analytics in data science, the limitations of unsupervised machine learning, and the challenges of creating effective data visualizations.

    Here are some highlights:

    Intuition vs. analytics

    It comes down to this battle between intuition versus data analysis. We've been a very intuitively driven industry. The challenge with that is that in a complex environment, our intuition can be easily fooled. Not to say that intuition isn’t valuable. There's a huge value in intuition and expertise in our industry. At the same time, if we really want to understand what's going on, we have to take a step back and actually start to collect data and make sense of that data.

    The limitations of unsupervised machine learning

    Unsupervised machine le

page 2 from 3